So, what is an OpenID Extension?

Dick Hardt Dick.Hardt at microsoft.com
Thu Aug 13 15:04:47 UTC 2009


In AX you can define any attribute you want. The attribute could be a URL that enables one site to request the data directly.

________________________________
From: openid-specs-bounces at lists.openid.net [openid-specs-bounces at lists.openid.net] on behalf of Nat Sakimura [sakimura at gmail.com]
Sent: Thursday, August 13, 2009 8:03 AM
To: James Henstridge
Cc: OpenID Specs Mailing List
Subject: Re: So, what is an OpenID Extension?

Hmmm. So, there is no way we can do direct communication in an extension?
What I want to do is to send the large payload directly between the servers and move only the reference through OpenID Authn request and response so that

1) mobile clients will not choke.
2) it is going to be more secure.

In AX, there is a notion of update_url, but is that also used only for indirect communication through browser?

I feel that it is extremely limiting if we cannot do the server to server communication.

If that is not a possibility, then I should probably do the server to server portion elsewhere, and just do the reference/artifact moving through OpenID AuthN, but that sounds like OpenID strangling itself.

=nat

On Thu, Aug 13, 2009 at 11:01 PM, James Henstridge <james at jamesh.id.au> wrote:
On Thu, Aug 13, 2009 at 8:05 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> I blogged about the subject here:
> http://www.sakimura.org/en/modules/wordpress/index.php?p=91
>
> What would be the consensus here?

My reading of the spec (and what I believe is the author's intent) is
that OpenID extensions do indeed piggyback on an authentication
request.  The note about including the extension's type URI in XRDS is
a way that an OpenID provider can advertise support for the extension.

Note that in OpenID 2.0, sending openid.identifier in an
authentication request is optional.  So you could potentially use an
extension without actually authenticating as a particular user.  From
section 9.1:

"""
"openid.claimed_id" and "openid.identity" SHALL be either both present
or both absent. If neither value is present, the assertion is not
about an identifier, and will contain other information in its
payload, using extensions (Extensions).
"""

James.



--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
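The pattern the thread converges on (Nat's "move only the reference through OpenID AuthN", Dick's "the attribute could be a URL", and James's point that a positive assertion may carry no identifier at all) can be made concrete. The following is an added example, not code from the thread, from OpenID or from any of the posters: it builds an OpenID 2.0 positive assertion whose only payload is an AX attribute holding a reference URL, signs it over KV-form with HMAC-SHA256 as OpenID 2.0 sections 6 and 10.1 describe, and shows the checks a relying party should apply before fetching that reference server-to-server. The attribute type URI, the endpoints, the nonce, the association handle and the MAC key are all constructed for the example; the section 9.1 rule it checks is the one James quotes.

```python
"""Added example: an OpenID 2.0 assertion carrying an AX reference attribute,
and the relying-party checks before the reference is dereferenced.
Everything named *.example.* plus the type URI and MAC key is constructed."""
import base64
import hashlib
import hmac

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"

# Hypothetical attribute type: its value is a URL the RP fetches directly
# from the OP instead of moving the large payload through the browser.
PAYLOAD_REF_TYPE = "http://example.org/attr/payload_ref"

# Constructed shared MAC key. In a deployment it comes from the association
# established with openid.mode=associate (or the RP uses check_authentication).
MAC_KEY = b"constructed-mac-key-for-the-example-only"


def kv_form(params, signed_fields):
    """Key-Value form of the signed fields, in openid.signed order (OpenID 2.0 s4.1.1, s6.1)."""
    return "".join(f"{field}:{params['openid.' + field]}\n" for field in signed_fields)


def sign(params, signed_fields, mac_key=MAC_KEY):
    """Return a copy of params carrying openid.signed and openid.sig (HMAC-SHA256, s6.2)."""
    out = dict(params)
    out["openid.signed"] = ",".join(signed_fields)
    digest = hmac.new(mac_key, kv_form(out, signed_fields).encode(), hashlib.sha256).digest()
    out["openid.sig"] = base64.b64encode(digest).decode()
    return out


def verify_signature(params, mac_key=MAC_KEY):
    """Recompute the signature over exactly the fields listed in openid.signed."""
    signed_fields = params.get("openid.signed", "").split(",")
    try:
        message = kv_form(params, signed_fields)
    except KeyError:          # a listed field is missing from the response
        return False
    expected = base64.b64encode(hmac.new(mac_key, message.encode(), hashlib.sha256).digest()).decode()
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


def identifier_fields_consistent(params):
    """OpenID 2.0 s9.1: claimed_id and identity are either both present or both absent."""
    return ("openid.claimed_id" in params) == ("openid.identity" in params)


def ax_aliases(params):
    """Find the alias under which AX was negotiated and map attribute alias -> type URI."""
    ext = next((k[len("openid.ns."):] for k, v in params.items()
                if k.startswith("openid.ns.") and v == AX_NS), None)
    if ext is None:
        return None, {}
    prefix = f"openid.{ext}.type."
    return ext, {k[len(prefix):]: v for k, v in params.items() if k.startswith(prefix)}


def payload_reference(params):
    """Return the reference URL to fetch server-to-server, or None if the assertion
    fails the signature, the s9.1 rule, or the reference is not covered by openid.signed."""
    if not verify_signature(params) or not identifier_fields_consistent(params):
        return None
    ext, types = ax_aliases(params)
    if ext is None:
        return None
    signed = set(params["openid.signed"].split(","))
    for alias, type_uri in types.items():
        if type_uri != PAYLOAD_REF_TYPE:
            continue
        # An unsigned reference could be swapped by whoever relays the indirect response.
        needed = {f"ns.{ext}", f"{ext}.mode", f"{ext}.type.{alias}", f"{ext}.value.{alias}"}
        if not needed <= signed:
            return None
        return params.get(f"openid.{ext}.value.{alias}")
    return None


def example_assertion(with_identifier=False):
    """Constructed positive assertion; without an identifier it is the s9.1 'not about an identifier' case."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/openid",
        "openid.return_to": "https://rp.example.net/openid/return",
        "openid.response_nonce": "2009-08-13T15:04:47Zconstructed",
        "openid.assoc_handle": "constructed-assoc-handle",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.ref": PAYLOAD_REF_TYPE,
        "openid.ax.value.ref": "https://op.example.org/payload/abc123",
    }
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle",
              "ns.ax", "ax.mode", "ax.type.ref", "ax.value.ref"]
    if with_identifier:
        params["openid.claimed_id"] = "https://op.example.org/id/nat"
        params["openid.identity"] = "https://op.example.org/id/nat"
        signed += ["claimed_id", "identity"]
    return sign(params, signed)


if __name__ == "__main__":
    assertion = example_assertion()
    print("reference to fetch:", payload_reference(assertion))
```

The fetch of the returned URL is the server-to-server leg that happens outside OpenID itself, which is the split Nat describes; what OpenID contributes is that the reference arrives inside a signed assertion, so the RP can refuse to dereference it when the signature fails, when the AX fields are not in openid.signed, or when the identifier fields violate the both-or-neither rule of section 9.1.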